[strongSwan] Discrepancy in distinguished name for x.509 authentication

Tobias Brunner tobias at strongswan.org
Fri Jan 18 11:21:11 CET 2019

Hi Yogesh,

> To make it work I had to configure 'E' for emailAddress in rightid field
> of ipsec.conf.

Hm, that seems strange.

> I know it is not a big issue and it is working for me with 'E', but
> ideally it should work with exact Subject of x.509 certificate which has
> 'emailAddress' as the field. 

When parsing the strings these identifiers are just mapped to an OID for
that particular RDN and E and emailAddress both map to the same OID.
There is really no difference between the two.  I even added unit tests
to confirm this, see [1] and [2].

Do you have logs that actually show what is compared in each of these
two cases?  (The binary encoding of the identities is logged on level 3
in CFG.)
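
The keyword-to-OID mapping described in the message above, as an added Python example (not part of the original post and not strongSwan's code). The alias table is a small constructed subset, the sample identities are constructed, and the case-insensitive keyword lookup and the lack of escaping support are assumptions of this example.

```python
# Added illustration: RDN keywords resolve to OIDs before any comparison,
# so two spellings of the same attribute yield the same binary identity.
RDN_OIDS = {  # constructed subset of keyword aliases
    "C": "2.5.4.6",
    "O": "2.5.4.10",
    "OU": "2.5.4.11",
    "CN": "2.5.4.3",
    "E": "1.2.840.113549.1.9.1",
    "EMAILADDRESS": "1.2.840.113549.1.9.1",
}

def oid_to_der(oid):
    """DER-encode a dotted OID (tag 0x06, short-form length only)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # lowest 7 bits, no continuation flag
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))  # base-128, most significant group first
    return bytes([0x06, len(body)]) + bytes(body)

def parse_dn(dn):
    """Turn 'K=V, K=V' into [(DER OID, value)]; values with commas are not supported."""
    rdns = []
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        oid = RDN_OIDS.get(key.strip().upper())
        if oid is None:
            raise ValueError(f"unknown RDN keyword: {key.strip()!r}")
        rdns.append((oid_to_der(oid), value.strip()))
    return rdns

def same_identity(a, b):
    """Compare two DN strings on their parsed form, not on their text."""
    return parse_dn(a) == parse_dn(b)

# Constructed sample identities that differ only in the keyword spelling
ID_SHORT = "C=CH, O=Example, CN=peer, E=peer@example.org"
ID_LONG = "C=CH, O=Example, CN=peer, emailAddress=peer@example.org"

if __name__ == "__main__":
    print(parse_dn(ID_SHORT)[-1][0].hex(), same_identity(ID_SHORT, ID_LONG))
```

If a comparison still fails with one spelling but not the other, the difference has to be somewhere other than the keyword, which is what the level 3 CFG log of the binary encodings would show.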


